laravel / passport

Laravel Passport provides OAuth2 server support to Laravel.
https://laravel.com/docs/passport
MIT License

Not an issue, but perhaps someone can make me understand something that confuses me. #638

Closed stefro closed 6 years ago

stefro commented 6 years ago

Hi,

I'm cross-posting this from the Laracasts forum. On second thought I think this question belongs here on GitHub.

We would like to open up some data from our customers to another SaaS who has the same customers through an API. I've studied many cases on Passport lately and I think now I understand the basic idea of OAuth with Laravel Passport. There is just one thing bugging me that I just can't seem to understand. I really hope someone can explain the logic of this to me.

For this example we will call our app my-app.com and our consumer other-app.com.

The basic idea is that users of our SaaS (my-app.com) who also have an account on other-app.com can provide other-app.com access to retrieve data on my-app.com that belongs to the users of my-app.com.

On my-app.com I install Laravel Passport and under my administrator account I create an OAuth Client for other-saas.com. I provide other-app.com the client ID and secret. When a user is logged into other-app.com and would like to set up the connection to my-app.com he can click on the link in other-app.com that will initiate the OAuth process and eventually returns to the callback URL on other-app.com that will provide other-app.com with the token and refresh token for this user.

Now other-app.com can make API requests on behalf of our shared user to my-app.com.

Am I right so far?

Now here comes what confuses me: When I log in to my administrator account on my-app.com I can view all the OAuth Clients and manage them. But when I log out and my co-worker logs in under his admin account (different user) he's not able to see any of the clients I created. Why is an OAuth Client bound to ONE single user on my-app.com? This got me so confused that I'm doubting whether I set up everything correctly.

Really hope someone can make any sense of this.

itsUndefined commented 6 years ago

What you described about how OAuth 2.0 works is correct.

Now for your confusion: only the creator of the client can see it. That is because you could let users create their own clients (if you allow 3rd parties to create apps with your API). The client they created is then owned by them. Laravel has some Vue components that can be used to allow your users to create such clients. You wouldn't want each user to see all clients on the system.

Here is an example to better explain what I am saying: Everyone has a Facebook account. A person is creating a website and he decides that he wants to include Facebook authentication so that his users will not need to register an account with email and username. That person goes to developers.facebook.com and creates a client with the name of his website and enables the Facebook auth service. He can then add his client ID and secret to his website's server to get the required functionality.
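The flow stefro describes above (a link on other-app.com, consent on my-app.com, a callback that receives the token and refresh token) written out from the consumer's side, as an added example that is not Passport's own code. It assumes a recent Laravel with the `Http` client and a web session on other-app.com, placeholder `CLIENT_ID` / `CLIENT_SECRET` values for the client the my-app.com admin created (which is why that admin is its owner), and it adds a `state` check that the original post does not mention.

```php
<?php
// routes/web.php on other-app.com (the consumer). Constructed example with placeholder values.
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;

const MY_APP        = 'https://my-app.com';                   // authorization server running Passport
const CLIENT_ID     = 'CLIENT-ID-ISSUED-BY-MY-APP-ADMIN';      // placeholder
const CLIENT_SECRET = 'CLIENT-SECRET-ISSUED-BY-MY-APP-ADMIN';  // placeholder, server-side only
const REDIRECT_URI  = 'https://other-app.com/callback';       // must match the client's registered redirect

// Step 1: the link the logged-in other-app.com user clicks to connect to my-app.com.
Route::get('/connect', function (Request $request) {
    // Random state kept in this user's session; checked on return so a callback
    // cannot be planted into a different session.
    $state = Str::random(40);
    $request->session()->put('oauth_state', $state);
    $query = http_build_query([
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI,
        'response_type' => 'code',
        'scope'         => '',          // or the Passport scopes the shared data requires
        'state'         => $state,
    ]);
    return redirect(MY_APP . '/oauth/authorize?' . $query);
});

// Step 2: after the user approves on my-app.com, Passport redirects here with ?code=...&state=...
Route::get('/callback', function (Request $request) {
    $expected = $request->session()->pull('oauth_state');
    // Reject any callback whose state was not issued by this session.
    abort_unless(is_string($expected) && $expected !== '' && $expected === $request->input('state'),
        403, 'Invalid OAuth state');
    // Exchange the one-time code for tokens; the client secret never leaves the server.
    $response = Http::asForm()->post(MY_APP . '/oauth/token', [
        'grant_type'    => 'authorization_code',
        'client_id'     => CLIENT_ID,
        'client_secret' => CLIENT_SECRET,
        'redirect_uri'  => REDIRECT_URI,
        'code'          => $request->input('code'),
    ]);
    $tokens = $response->throw()->json(); // access_token, refresh_token, expires_in
    // Persist these against the current other-app.com user, then call my-app.com's API
    // with "Authorization: Bearer {access_token}" on that user's behalf.
    return $tokens;
});
```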

stefro commented 6 years ago

Thanks @itsUndefined! Now it completely makes sense to me!

MatthewSH commented 6 years ago

@stefro if this answered it, can you please close the issue?